diff --git a/docs/NEWS b/docs/NEWS
index 3c2673af..e0ed4ec9 100644
--- a/docs/NEWS
+++ b/docs/NEWS
@@ -11,6 +11,9 @@ Version 2.1 (November 28th, 2016)
 * [Security] Prevent XSS in adding category and directory names, thanks to Edric Teo @smarterbitbybit.
+
+ * [Security] For multi-deletion of entries, secure the HTTP referrer
+ output to prevent XSS (Issue #435)
 Version 2.1-beta2 (September 26th, 2016)
 ------------------------------------------------------------------------
diff --git a/include/admin/entries.inc.php b/include/admin/entries.inc.php
index 099382be..b7de2fbf 100644
--- a/include/admin/entries.inc.php
+++ b/include/admin/entries.inc.php
@@ -402,7 +402,7 @@ switch($serendipity['GET']['adminAction']) {
 return; // blank content page, but default token check parameter is presenting a XSRF message when false
 }
 if (!is_array($serendipity['POST']['multiDelete'])) {
- echo '
' . sprintf(MULTICHECK_NO_ITEM, $_SERVER['HTTP_REFERER']) . '
'."\n";
+ echo '
' . sprintf(MULTICHECK_NO_ITEM, serendipity_specialchars($_SERVER['HTTP_REFERER'])) . '
'."\n";
 break;
 }
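Review bot: `$_SERVER['HTTP_REFERER']` on the new echo line is still read without an isset() guard, and the Referer header is optional (absent on direct requests and commonly stripped by browser referrer policies), so the undefined-index notice path remains even though the escaping closes the XSS. An empty fallback keeps the message well-formed: `sprintf(MULTICHECK_NO_ITEM, serendipity_specialchars(isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''))`. If MULTICHECK_NO_ITEM places the value in a link target rather than in text (the language string is not in this hunk, so this is inferred), HTML-escaping alone does not constrain the URL scheme, and restricting the value to http/https would be worth adding alongside it. The enclosing switch case begins before the hunk.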